Add Parser::parseUnencrypted()
#814
Conversation
The following code works fine and is totally safe, but triggers a static analysis error due to the loose return type of `Parser::parse()`: ```php $token = (new Parser(new JoseEncoder()))->parse($jwtString); $token->claims(); // PHPStan says: Call to an undefined method Lcobucci\JWT\Token::claims(). ```
|
I have the feeling that |
|
Nah, perfectly valid for an implementation to return a more specific type. The fact that the parser implementation may return new token types in future would become a BC break, which is also fine to have as an explicit transition. |
src/Token/Parser.php
Outdated
| @@ -26,7 +26,7 @@ public function __construct(Decoder $decoder) | |||
| $this->decoder = $decoder; | |||
| } | |||
|
|
|||
| public function parse(string $jwt): TokenInterface | |||
| public function parse(string $jwt): Plain | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
Thanks for pointing me towards this previous work. I took inspiration from your approach in JwtFacade::parse() and extended Parser itself with a method that expects to only handle unencrypted tokens.
| * | ||
| * @throws InvalidTokenStructure if the input unexpectedly decodes to an encrypted token. | ||
| */ | ||
| public function parseUnencrypted(string $unencrypted): UnencryptedToken |
There was a problem hiding this comment.
I don't know how to test this, other than repeating the tests for parse() - perhaps they should be parameterized with a data provider to test both parse() and parseUnencrypted()?
| { | ||
| $token = $this->parse($unencrypted); | ||
|
|
||
| if (! ($token instanceof UnencryptedToken)) { |
There was a problem hiding this comment.
This will lead to escaped mutants, can this be ignored for infection testing?
|
I left the extension point on purpose and would prefer not to remove it or provide different methods to handle this. JWTs are usually user input and I believe it's responsibility of the users of this library to rely on the interface and verify they have the expected type of token. The facade is there to offer a simplified API, it's only pending docs and a few more tests (that I couldn't do yet). Doesn't it satisfy your needs? |
I can follow your reasoning, but I want to point out that it is somewhat arbitrary where the line is drawn. The following are all examples of a client not parsing a proper JWT:
Calling
The facade is doing something quite similar to this proposed API: it combines multiple assumptions about the passed in JWT. However, it does so at a more coarse level - requiring two additional constraints. I think this shows that there is a spectrum of how much constraints the library methods validate, and I believe this pull request is closing a gap between the currently existing two extremes.
Due to reasons outside of my immediate control, we are currently forced to forgo time based validation of the tokens we handle. Would you be more comfortable if I were to add this method as |
|
@spawnia sorry about my lack of response here (
Then you could still rely on it but provide your own implementation of a I've posted on #822 some more thoughts on this encrypted/unencrypted thing. It would be nice to have your PoV there =) |
|
Closing here for now as that's not the direction I'd like us to take. The main "conflict point" is that in my understanding of the RFC an encrypted/nested JWT is still a JWT, therefore parsing should not provide guarantees but support both types. |
The following code currently works fine, but triggers a static analysis error due to the loose return type of
Parser::parse():I understand from previous discussion that
Parser::parse()may also be used to handle encrypted tokens in the future.Instead of handling other possible parse results in the application - and duplicating proper error handling - I think it is valuable for this library to offer a method that only deals with unencrypted tokens. This way, application code is simplified and proper error handling is ensured. Thus, I propose the following new method: